CAN Bus/OBDII Hacking?

truck

Anyone been able to figure this out yet? I have an OBD-II to RJ45 cable but can't figure out how to connect it to SavvyCAN. I'm able to use it with Wireshark but there's no CAN data coming through, only random TCP/UDP data (although it does reveal some internal IPs; so far they all match up with previous models). Sadly the Cybertruck service manual has absolutely zero info on anything, unlike all the other manuals, which have plenty of info. I'm assuming that the Cybertruck has the same configuration as the new models where everything is done through the OBD port over DoIP. Gonna try to order an OBD to USB and Bluetooth to see if it'll make configuration a little bit easier.


Edit 9/6/24 8:15 PM CST:
Current findings:
Some actions like turn signal, enabling/disabling offroad mode, and pulling up/disabling cameras pop up; they stick out like a sore thumb as opposed to all the other logs. I don't know how IGMP works and I don't know why the requests are doubled. Hex also looks identical throughout all the different actions (might be encrypted). I sadly don't know how to replay requests in Wireshark. Feel free to PM if you want the pcap file. Will try logging a normal drive tomorrow to see if anything special pops up. I am an amateur at car hacking so please bear with me if anything seems obvious/wrong!


Edit 9/6/24 9:30 PM CST:
Turns out that the IGMP request is sent whenever the car is trying to access the cameras. Started up nmap and found some interesting things.
192.168.90.100 has ports 22, 8001, 8080 and 8081 open.
You can (try to) SSH into the car at 192.168.90.100:22; problem is you'll be denied due to "publickey". I don't know what the bottom two things are in the authorized principals so I censored it; top two are the exact same VINs of the car. If it says remote SSH is not allowed due to it being a "customer vehicle", go to controls -> service -> scroll down to the switch that says "allow remote debugging".

Port 8001 has nothing useful, can't figure out anything to do with it. Port 8080 just results in a page that says "404: Not Found". Port 8081 is interesting, you must specify to visit the site using https, if you don't it returns "Client sent an HTTP request to an HTTPS server." When you do connect with https, it asks for a certificate.

In the Wireshark logs, there's a whole bunch of 5-digit ports that 192.168.90.100 is sending requests from.
In my Wireshark logs, there are two IPs that show up which claim they have no open ports even though they communicate with 192.168.90.100 with various ports. These two IPs are 192.168.90.30 and 192.168.90.107.
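An added example, not part of the original post: IGMP hosts normally repeat an unsolicited membership report shortly after the first one in case it was lost (RFC 2236), which is one ordinary reason a capture shows each report twice. The Python sketch below validates IGMP messages and collapses those repeats into single join events; the group address 239.0.0.1, the timestamps and all function names are constructed for illustration, and only the 192.168.90.100 source address comes from the thread.

```python
import ipaddress
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum; over a valid IGMP message (checksum included) it is 0."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f">{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_igmp(msg: bytes):
    """Return (kind, [groups]) for IGMPv2 messages and IGMPv3 reports, else None."""
    if len(msg) < 8 or inet_checksum(msg) != 0:
        return None
    kinds = {0x11: "query", 0x16: "v2-report", 0x17: "leave"}
    if msg[0] in kinds:
        return kinds[msg[0]], [str(ipaddress.IPv4Address(msg[4:8]))]
    if msg[0] != 0x22:  # 0x22 = IGMPv3 membership report
        return None
    groups, off = [], 8
    for _ in range(struct.unpack(">H", msg[6:8])[0]):  # number of group records
        if off + 8 > len(msg):
            return None
        aux_len, n_src = struct.unpack(">xBH", msg[off:off + 4])
        groups.append(str(ipaddress.IPv4Address(msg[off + 4:off + 8])))
        off += 8 + 4 * n_src + 4 * aux_len
    return "v3-report", groups

def join_events(capture, window=10.0):
    """Collapse retransmitted reports: same (source, group) within `window` s is one event."""
    last, events = {}, []
    for ts, src, msg in capture:
        parsed = parse_igmp(msg)
        if not parsed or not parsed[0].endswith("report"):
            continue
        for group in parsed[1]:
            if (src, group) not in last or ts - last[(src, group)] > window:
                events.append((ts, src, group))
            last[(src, group)] = ts
    return events

def build_v2_report(group: str) -> bytes:
    """Build a constructed IGMPv2 report with a correct checksum (sample data only)."""
    body = struct.pack(">BBH4s", 0x16, 0, 0, ipaddress.IPv4Address(group).packed)
    return body[:2] + struct.pack(">H", inet_checksum(body)) + body[4:]

# Constructed capture: (seconds, source IP, IGMP bytes). 239.0.0.1 is a placeholder group.
REPORT = build_v2_report("239.0.0.1")
SAMPLE = [(t, "192.168.90.100", REPORT) for t in (0.0, 0.9, 42.0, 42.7)]
```

Calling `join_events(SAMPLE)` reduces the four constructed reports to two join events, one per burst.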
Gaximus

From my understanding CT has gone away from CAN bus for inner vehicle communication to using an Ethernet protocol. I haven't dug into this myself, but have seen articles that they are using Ethernet, and since Ethernet is a type of cable, and there are no Ethernet cables in the Cybertruck, I assume they mean some protocol that is typically used on Ethernet.
 
truck

From my understanding CT has gone away from CAN bus for inner vehicle communication to using an Ethernet protocol. I haven't dug into this myself, but have seen articles that they are using Ethernet, and since Ethernet is a type of cable, and there are no Ethernet cables in the Cybertruck, I assume they mean some protocol that is typically used on Ethernet.
Wait, does DoIP mean that they don't use CAN to communicate through the car anymore? If so, I don't know why it's not showing up in Wireshark. It has DoIP support built in.
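An added example, not from the thread: a DoIP message (ISO 13400-2) starts with a fixed 8-byte header (protocol version, its bitwise inverse, a 16-bit payload type, a 32-bit payload length) and normally runs on port 13400, so payloads exported from a capture can be checked for that structure regardless of port. The sample payloads below are constructed, and `parse_doip_header` and `classify` are hypothetical helper names.

```python
import struct

DOIP_PORT = 13400  # port assigned to DoIP, used on both UDP and TCP

PAYLOAD_TYPES = {  # subset of the ISO 13400-2 payload type table
    0x0000: "generic negative ack",
    0x0001: "vehicle identification request",
    0x0004: "vehicle announcement / identification response",
    0x0005: "routing activation request",
    0x0006: "routing activation response",
    0x0007: "alive check request",
    0x0008: "alive check response",
    0x8001: "diagnostic message",
    0x8002: "diagnostic message positive ack",
    0x8003: "diagnostic message negative ack",
}

def parse_doip_header(payload: bytes):
    """Return header fields if payload starts with a plausible DoIP header, else None."""
    if len(payload) < 8:
        return None
    version, inverse, ptype, length = struct.unpack(">BBHI", payload[:8])
    if version ^ inverse != 0xFF or ptype not in PAYLOAD_TYPES:
        return None
    return {"version": version, "type": PAYLOAD_TYPES[ptype], "length": length,
            "complete": len(payload) - 8 >= length}  # False if split across TCP segments

def classify(flows):
    """Label each (proto, dst_port, payload) tuple exported from a capture."""
    labels = []
    for _proto, dport, payload in flows:
        hdr = parse_doip_header(payload)
        if hdr is None:
            labels.append("not DoIP")
        else:
            note = "" if dport == DOIP_PORT else " (non-standard port)"
            labels.append(f"DoIP {hdr['type']}{note}")
    return labels

# Constructed sample payloads; none are taken from the capture discussed in the thread.
SAMPLE_FLOWS = [
    ("udp", 13400, bytes.fromhex("02fd000100000000")),        # identification request
    ("tcp", 49152, bytes.fromhex("02fd000700000000")),        # alive check, odd port
    ("tcp", 8081, bytes.fromhex("1603010200010001fc0303")),   # start of a TLS handshake
    ("tcp", 8080, b"GET / HTTP/1.1\r\n"),                     # plain HTTP request
]
```

If `classify` labels nothing in a capture as DoIP, the traffic on that tap is some other protocol rather than DoIP on an unexpected port.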
 

moniker

Looking forward to reading about your progress here.

Another interesting thing to explore would be the data wire at the end of the 48V in the frunk and roof. Referenced as LIN (Local Interconnect Network):
https://service.tesla.com/docs/Publ...UID-EC88B024-50C5-4B34-B716-FDED8CF3FBE0.html

I imagine this is how the Tesla light bar communicates and gets integrated into the off-road app, vs just toggling the power via main menu.

Would be curious what data could be read/write from there.

An interesting project would be to read from the network when the parking lights are selected and use that touch screen control to enable your scene lighting.
 
truck

Looking forward to reading about your progress here.

Another interesting thing to explore would be the data wire at the end of the 48V in the frunk and roof. Referenced as LIN (Local Interconnect Network):
https://service.tesla.com/docs/Publ...UID-EC88B024-50C5-4B34-B716-FDED8CF3FBE0.html

I imagine this is how the Tesla light bar communicates and gets integrated into the off-road app, vs just toggling the power via main menu.

Would be curious what data could be read/write from there.

An interesting project would be to read from the network when the parking lights are selected and use that touch screen control to enable your scene lighting.
When the light bar arrives in 5 years, I might remember to do this lol
 


tmeyer3

Would be interested to see how the packets are organized. Can you open one and paste it here?
 
truck

Would be interested to see how the packets are organized. Can you open one and paste it here?
Do you want the decoded stuff or the bytes? Kinda new to Wireshark.
 

JackCypher

Anyone been able to figure this out yet? I have an OBD-II to RJ45 cable but can't figure out how to connect it to SavvyCAN. I'm able to use it with Wireshark but there's no CAN data coming through, only random TCP/UDP data (although it does reveal some internal IPs; so far they all match up with previous models). Sadly the Cybertruck service manual has absolutely zero info on anything, unlike all the other manuals, which have plenty of info. I'm assuming that the Cybertruck has the same configuration as the new models where everything is done through the OBD port over DoIP. Gonna try to order an OBD to USB and Bluetooth to see if it'll make configuration a little bit easier.
I would assume the CT has an OBD automotive interface which may give you access to the CAN messages - that would be the safest way to *see* the messages.

I would NOT recommend attempting to hack into wiring, harnesses for CAN Bus. CAN Bus is a timed [critical] communication system where even the wire impedance needs to be matched - and termination is required for the timing to operate correctly. The CAN controllers [interface chips] detect that.

It can be so critical - that it can be impracticable to 'repair' a broken CAN Bus harness.

I recall the YouTube TFL guys reported that Range Rover Service SCRAPPED their entire new Range Rover, cutting the CAN harness when attempting to add the factory winch option.

They were utterly shocked you could not 'crimp' the harness back together - CAN bus speeds are in the 20 - 40 MHz - this is so fast you could send live video - which is typically sent on COAX cable. CAN bus has some error correction built in - but that is limited - it is not made to work with a broken, frayed harness.

..so don't f**k with it...simply disconnecting the sub-system would be detected and could cause the system to go into limp mode, error mode, etc.

You'd likely find a 'cap' with matching resistors on expansion CAN ports like for example winch control or the light bar. [not everything/option would be using CAN bus]

I am not an EE, but work on critical systems that employ such things as CAN bus...I know enough to not mess with trying to wire one up myself.



Regards
Jack
 

johwiltb

Do you want the decoded stuff or the bytes? Kinda new to Wireshark.
I'm a network analyst, and have some experience with Wireshark. If you have the pcap file, I'd definitely check it out!
 


TickTock

CAN bus is still used for local communication and you can tap into those easily enough, but I have also been wondering about how to tap into the Etherloop.

@truck, how were you able to capture traffic? (What hardware? Connected where?)
 

CTSoFL

This is exactly how Skynet becomes self aware.
 

mongo

I would NOT recommend attempting to hack into wiring, harnesses for CAN Bus. CAN Bus is a timed [critical] communication system where even the wire impedance needs to be matched - and termination is required for the timing to operate correctly. The CAN controllers [interface chips] detect that.

It can be so critical - that it can be impracticable to 'repair' a broken CAN Bus harness.

I recall the YouTube TFL guys reported that Range Rover Service SCRAPPED their entire new Range Rover, cutting the CAN harness when attempting to add the factory winch option.

They were utterly shocked you could not 'crimp' the harness back together - CAN bus speeds are in the 20 - 40 MHz - this is so fast you could send live video - which is typically sent on COAX cable. CAN bus has some error correction built in - but that is limited - it is not made to work with a broken, frayed harness.
I don't see them calling out what specifically was cut. It might have been FlexRay, not CAN. Either can be repaired though (if it was only a cut wire without shorting things out).
CAN max is 1 Mbps, CAN FD goes to 5 Mbps. Cybertruck uses both, mostly in point to point links.

https://www.lrdefender.org/communications_network-890.html

 

mongo

CAN bus is still used for local communication and you can tap into those easily enough, but I have also been wondering about how to tap into the Etherloop.
Via the Ethersnoop RJ45 connection. Other links are point to point and might not like being tapped, if you had a high impedance sniffer.
 

JackCypher

I don't see them calling out what specifically was cut. It might have been FlexRay, not CAN. Either can be repaired though (if it was only a cut wire without shorting things out).
CAN max is 1 Mbps, CAN FD goes to 5 Mbps. Cybertruck uses both, mostly in point to point links.

https://www.lrdefender.org/communications_network-890.html

Thanks for chiming in and finding the video! I had not seen that one since the initial 'We broke your Range Rover'

We need a healthy respect for the now very advanced electronics in cars...it is way beyond 'electrical'...

Regards
Jack